Current source for cryptographic processor

ABSTRACT

To provide increased security against differential power analysis attacks, a data processing device is provided with a current converter that draws current from an external supply and cyclically apportions drawn current between a charge storage device and a processor such that the drawn current varies independently of the instantaneous power demand of the processor. The data processing device includes: a processor; a charge storage device coupled to the processor; and a current source for supplying the processor with operating current, and adapted to vary its output current independently of the instantaneous power demand of the processor.

The present invention relates to cryptographic devices such as thosetypically installed in smart cards and other devices, which may havevulnerability to power analysis attacks to obtain information therefrom.

Many cryptographic devices are implemented using microprocessors andassociated logic on devices such as smart cards. It is often necessaryto ensure that important data stored on smart cards, such ascryptographic keys and the like, is kept secure. A number of poweranalysis techniques have been published that facilitate the obtaining ofdata from the smart card that would otherwise, in the course of normalinput and output operations, be securely encrypted. In particular,analysis of the power consumption of the logic performing an encryptionor decryption operation may be used to establish the round keys used inthe encryption or decryption operation.

Such techniques are discussed, for example, in Kocher et al:“Differential Power Analysis”, www.cryptography.com and Messerges et al:“Investigations of Power analysis Attacks on Smartcards”, Proceedings ofUSENIX Workshop on Smartcard Technology, May 1999, pp. 151-161. Thepower consumption of a smart card is conventionally strongly related tothe number of bit transitions occurring at each clock pulse. Statisticalanalysis of the power dissipation of the smart card during successivecycles of a cryptographic algorithm has been shown to yield sufficientinformation to obtain the cryptographic keys in use.

Differential power analysis attacks rely on correlation between thepower dissipation traces and the data processing operations of theprocessor logic and the ability to average many such traces over time.

It is an object of the present invention to provide a power supply andmode of operation of a cryptographic processor that improves thesecurity of cryptographic processors against power analysis attacks.

According to one aspect, the present invention provides a dataprocessing device including:

-   -   a processor,    -   a charge storage device coupled to the processor,    -   a current source for supplying the processor with operating        current, and adapted to vary its output current independently of        the instantaneous power demand of the processor.

According to another aspect, the present invention provides a method ofoperating a data processing device, comprising the steps of:

-   -   drawing current from an external supply; and    -   cyclically apportioning drawn current between a charge storage        device and a processor within the data processing device such        that the drawn current varies independently of the instantaneous        power demand of the processor.

Embodiments of the present invention will now be described by way ofexample and with reference to the accompanying drawings in which:

FIG. 1 illustrates a power supply for a processor according to apreferred embodiment of the invention;

FIG. 2 shows a schematic diagram illustrating the various functionalblocks of the power supply of FIG. 1; and

FIG. 3 is a graph illustrating the current switching control of apreferred power supply.

With reference to FIG. 1, various possible embodiments of a DC-DCconverting power supply for a cryptographic processor are now described.

A current source 10 draws current from a supply voltage V_(CC) andsupplies a current I_(DD) to a processor 11. The processor 11 may be anyform of data processing logic circuitry. A decoupling capacitor Creceives current from the current source 10 when the current supplied bythe current source 10 exceeds the requirements of the processor 11, andsupplies current to the processor when the current supplied by thecurrent source falls short of the requirements of the processor. Thefunction of capacitor C could also be implemented by any suitablealternative charge storage mechanism.

In a first embodiment, the current source 10 comprises a first currentsource 12 which supplies substantially constant current I_(CC) at twodifferent current levels. A first one of these current levels is higherthan an average demand of the processor and the second one of thesecurrent levels is lower than an average demand of the processor 11.Switching between the current levels occurs on a periodic or aperiodicbasis as will be illustrated later.

During periods in which the first one of the current levels is beingdelivered, the voltage V_(DD) supplied to the processor will rise, asexcess current is stored in the capacitor C. During periods in which thesecond one of the current levels is being delivered, the voltage V_(DD)will fall, as the shortfall in current is supplied (discharged) fromcapacitor C.

The result is a saw tooth voltage V_(DD). Over a period of time, theaverage current I_(CC) supplied by the current source 10 will be equalto the average current demand IDD of the processor. However, it will benoted that the instantaneous values of current I_(CC) supplied by thecurrent source 12 very rarely match the instantaneous values of currentdemand I_(DD) of the processor 11.

The switching of the current levels of the current source 12 isdetermined independently of the instantaneous activities of theprocessor, so that the frequency and phase of the saw tooth voltageV_(DD) do not reflect the immediate activities of the processor. Inother words, frequency and phase of the voltage V_(DD) are not linked toan internal clock frequency of the processor, nor to data manipulationoperations being carried out by the processor 11.

The control of the current source 12 typically will also include somehysteresis, which is advantageous in maintaining a lack of correlationbetween the processor activity and the frequency and phase of the sawtooth voltage V_(DD).

The processor 11 is controlled by an internal oscillator clock of whichthe frequency is voltage dependent. Typically, the lower the voltagesupply V_(DD) to the processor, the lower the clock frequency of theprocessor. Conversely, the higher the voltage supply V_(DD) to theprocessor, the higher the clock frequency of the processor. This meansthat the duration of any procedure performed by the processor (forexample, a RSA calculation or a DES/AES encryption/decryption operation)will depend upon the level of the supply voltage V_(DD).

In a differential power analysis attack, it is necessary to align manysuccessive power traces so that corresponding processing operations arealigned in the time axis and can be averaged. This becomes very muchmore difficult when the frequency of operation of the processor iscontinually varying, because the effective time base of successive powertraces is continually changing.

The processor might also be asynchronously designed, which will alsoresult in the duration of any procedure performed by the processor beingdependent upon the level of supply voltage V_(DD).

In a further embodiment, the current source 10 may include, in additionto bi-level current source 12, a second current source 13 which isadapted to deliver a pseudo-noise current component I_(N) to the currentsupply. The noise current I_(N) varies on a random or pseudo-randombasis. The second current source 13 may be operated in a number ofdifferent ways.

When I_(N) is controlled by a pseudo-noise generator it will hide thetrigger points that are necessary in a differential power analysisattack in order to provide a reference point on the time axis, to alignmultiple traces for averaging. The pseudo-noise generator thereforemakes triggering of suitable analysis equipment (eg. a digital samplingoscilloscope) even more difficult.

If the clock of the pseudo-noise generator 13 has a fixed frequency,then analysis of power traces by adding a number of power traces willfilter out the noise. However, the bigger the amplitude of the noisecurrent I_(N), the more traces are needed to remove the noise and thegreater the blurring of target patterns and spikes in the power traces.Therefore, the noise current I_(N) is preferably a significantproportion of the bi-level current I_(CC).

Preferably, the peak value of the pseudo-noise current I_(N) is smallerthan the bi-level current I_(CC) supplied by the first current source12. In a preferred arrangement, the peak noise current I_(N) liesapproximately in the range 5 to 10% of the bi-level current I_(CC)supplied by the first current source 12.

In a preferred arrangement, the pseudo-noise generator 13 is initialisedfor each instruction sequence of the processor 11. If the pseudo-noisegenerator is initialised for each instruction sequence of the processor,then the noise pattern will be the same in each power trace for thatinstruction sequence. Thus, when adding the power traces to try toremove noise, the noise pattern will be enhanced rather than averagedout. In this case, the differential power analyst must first determinethe noise pattern and subtract it from each power trace before addingthe power traces together. Every mismatch between the true noise patternand the deduced pattern that is subtracted will then add togetherresulting in spurious spikes in the averaged trace. These spikes maysuccessfully hide the true data spikes that the analyst is seeking.

In a further arrangement, the pseudo-noise generator 13 is clocked bythe same clock as the processor 11, and the noise generator isinitialised for each instruction sequence of the processor. In this way,the noise is substantially repeated. Adding a number of power tracestogether will result in a substantially constant noise signal. Someparts of the noise traces will add together and other parts will becancelled out. Adding more traces or subtracting traces will not beeffective at removing the noise component.

With reference to FIG. 2, the regulation of the current source I_(CC)will now be described.

In the preferred arrangement, the regulation of the current source 10 isperformed automatically such that the average current I_(CC) (+I_(N) ifa noise current generator 13 is included) supplied by the currentgenerator 10 will match the average current demand of the processor 11.

The current regulator adapts the operation of the current supply whenthe average current demand I_(DD) of the processor varies over time.

The supply voltage V_(DD) is permitted to vary between an upper voltagelevel and a lower voltage level which are within the operatingspecification of the processor, such that the processor can beguaranteed to operate correctly. The current generator 10 must varycurrent level such that at the higher current level, the processorsupply voltage V_(DD) tends to rise, and such that at the lower currentlevel the processor supply voltage V_(DD) tends to fall. The upper levelof V_(DD) could be fixed by a zener diode D (FIG. 1) to prevent damageto the processor.

In the preferred arrangement of FIG. 2, a current switch control circuit20 is operative to switch the current source 12 between a first, highercurrent level and a second, lower current level. The first current levelis sufficient to cause the voltage V_(DD) to rise under normal operationof the processor 11. The second current level is sufficient to cause thevoltage V_(DD) to fall under normal operation of the processor 11.

A threshold detection circuit 23 monitors V_(DD) and detects a rise (orfall) of V_(DD) to the upper (or lower) threshold levels. Upon reachingthe higher threshold voltage level, the current switch control circuit20 switches the current supply I_(CC) to its second (lower) currentlevel. Upon V_(DD) reaching the lower threshold voltage level, thecurrent switch control circuit 20 switches the current supply 10 back toits first (higher) current level.

In a preferred arrangement, a timer circuit 22 is provided which isstarted when the upper threshold voltage is detected. The timer circuit22 then determines the time period t for the processor supply voltageV_(DD) to reach the lower threshold voltage. The operation of this timercircuit 22 is illustrated graphically in FIG. 3.

The timer circuit 22 determines whether the time period t falls within apermissible window t_(max) to t_(min). If the time period lies betweent_(max) and t_(min) (example t₂), no action is taken. If the time periodis less than t_(min) (example t₁), this is communicated to a currentlevel setting circuit 21 which operates to increase the second (lower)current level. If the time period is greater than t_(max) (example t₃),this is communicated to the current level setting circuit 21 whichoperates to decrease the second (lower) current level. Preferably, theadjustments to the current levels are made incrementally. The systemwill always move towards an operation condition in which the downwardpath of the saw tooth wave pattern of V_(DD) has a period betweent_(max) and t_(min).

A similar control arrangement may be applied, mutatis mutandis, to thefirst (upper) current level using the timing of the upward path of thesaw tooth wave.

In this way, the periodicity of the voltage level V_(DD) may bemaintained within predetermined bounds and the current source iscontrolled so as to vary the voltage output V_(DD) to the processorindependently of the instantaneous power demand of the processor.

If the current demand of the processor increases significantly, it ispossible that the first (upper) level current is insufficient toincrease V_(DD). If this occurs, an override circuit 24 may come intooperation to override the normal operation of the current level settingcircuit 21 and/or current switch control circuit 20.

For example, override circuit 24 may detect that V_(DD) remains belowthe lower voltage level for a predetermined time. If this occurs, theoverride circuit 24 may trigger the current level setting circuit 21 toset the highest possible current level. It may also be configured toprevent the current switch control circuit 20 from further switching orvary the switching period until V_(DD) has recovered.

Alternatively, override circuit 24 may sense a non-rising V_(DD) duringa first (upper) level current phase and perform a similar action.

If the current demand of the processor decreases significantly, it ispossible that the second (lower) level current is too high to decreaseV_(DD). If this occurs, the override circuit 24 may come into operationto override the normal operation of the current level setting circuit 21and/or current switch control circuit 20.

For example, override circuit 24 may detect that V_(DD) remains abovethe higher voltage level for a predetermined time. If this occurs, theoverride circuit 24 may trigger the current level setting circuit 21 toset the lowest possible current level. It might also prevent the currentswitch control circuit 20 from further switching or vary the switchingperiod until V_(DD) has recovered.

Alternatively, override circuit 24 may sense a non-rising V_(DD) duringa first (upper) level current phase and perform a similar action.

In an alternative embodiment, a fixed first (higher) current level maybe used and only the second (lower) current level varied. In a stillfurther embodiment, a fixed second (lower) current level may be used andonly the first (upper) current level varied. The second (lower) currentlevel may be as low as zero.

The zener diode D may be used to clamp the voltage and consume anysurplus current. For low supply voltages of, for example 1.8 V, it maybe difficult to obtain a good zener diode. In such a case, the zenerdiode D could be replaced with another voltage clamping arrangement, forexample a voltage comparator and transistor.

In a general sense, it will be noted that the effect of the circuitsdescribed above is to cyclically apportion current that is drawn from anexternal supply rail V_(CC) between a processor 11 and a charge storagecircuit 10 in such a manner the current drawn from the external supplyV_(CC) varies independently of the instantaneous power demand of theprocessor. The control circuitry ensures, however, that theinstantaneous and average power demands of the processor are always met.

The decoupling capacitor C filters out most of the high frequencyvariations in current supply I_(CC). The bi-level constant currentsource 12 producing I_(CC) also decreases any high frequency variationin the external supply current drawn from supply rail V_(CC) as a resultof critical data switching operations within the processor 11. Thecapacitor C also suppresses voltage spikes on the supply voltage thatmay temporarily shut off the current source, because the capacitormaintains current supply to the processor 11. This also applies tovoltage spikes that are induced by an attacker to influence theprocessor's activity. This may include spikes that are purposefullytimed by an attacker so as to prevent a critical operation of theprocessor being performed and thereby cause leakage of usefulinformation.

Broader spikes or interruptions in the power supply V_(CC), for whichthe capacitor C is unable to sustain power to the processor 11 areconventionally dealt with by appropriate processor reset circuitry (notshown).

For additional security, the internal oscillator of the processor 11should be made immune from influence by external factors, such asvarying the voltage supply V_(CC). Supply voltage variations outsidecertain predefined limits preferably will initiate processor or systemreset using control circuitry known in the art.

The repeating changes in the current source 12 output current I_(CC)makes triggering in a differential power analysis attack difficult. Inaddition, the varying speed of the processor 11 resulting from the sawtooth supply voltage V_(DD) means that power traces will not correctlyalign with one another, in that the time base will be varying from traceto trace.

The invention has been described with reference to an embodiment inwhich the current source 10 includes a bi-level constant current source12, which results in a saw tooth supply voltage V_(CC). It will beunderstood that the principles of the invention can also be effectedusing a current source 10 adapted to switch between multiple discretelevels, which would result in a supply voltage V_(DD) that has a verymuch more complex profile.

Similarly, the current source 10 may be adapted to vary output currentcontinuously between two predetermined levels providing that acontinuously varying voltage V_(DD) is achieved. The function of thecyclically varying output of the current source 12 is to ensure that theprocessor supply voltage V_(DD) varies over time as a function of someparameter which is not linked to instantaneous power demand of theprocessor.

It will be understood that for security against power analysis attackson the processor 11, it is important that the voltage node V_(DD) is notaccessible to an external probe. Therefore, the processor 11, capacitorC (or other charge storage device), and current source 10 are preferablyintegrated onto a single integrated circuit (or formed as separatedevices within a single sealed device package) for which there is noindication (direct or indirect) of the voltage V_(DD) provided at any ofthe output pins of the package.

Other embodiments are intentionally within the scope of the appendedclaims.

1. A data processing device including: a processor; a charge storagedevice coupled to the processor; and a current source for supplying theprocessor with operating current, and adapted to vary its output currentindependently of the instantaneous power demand of the processor.
 2. Thedevice of claim 1 in which the charge storage device comprises acapacitor in series with the current source, and across which theprocessor is connected in parallel.
 3. The device of claim 1 in whichthe current source is adapted to periodically or aperiodically switchbetween two different current levels.
 4. The device of claim 1 in whichthe current source is adapted to periodically or aperiodically switchbetween multiple current levels.
 5. The device of claim 3 in which theinterval between switching current levels is determined by an averagepower demand of the processor.
 6. The device of claim 1 in which thecurrent source comprises: a first current source adapted to providesubstantially constant current at at least two different current levels,the first current source switching between current levels on a periodicor aperiodic basis; and a second current source adapted to provide anoise current that varies on a random or pseudo-random basis.
 7. Thedevice of claim 1 further including control means adapted to maintainthe supply voltage to the processor between an upper voltage limit and alower voltage limit.
 8. The device of claim 1 further including a zenerdiode adapted to maintain the supply voltage to the processor below anupper voltage limit.
 9. The device of claim 7 in which the control meansincludes current switching means for switching the current sourcebetween a first, higher current level and a second, lower current level,the current switching being triggered by the supply voltage to theprocessor respectively reaching the lower voltage limit and the uppervoltage limit.
 10. The device of claim 9 further including a timer fordetermining a time period taken for the processor supply voltage toreach a lower voltage limit from an upper voltage limit, or vice versa.11. The device of claim 10 further including current setting means forvarying the first current level and/or the second current level of thecurrent source if the timer determines that the time period fallsoutside predetermined limits.
 12. The device of claim 11 in which thecurrent setting means raises the first current level if the timerdetermines that the time period for reaching the lower voltage limitfalls below a first predetermined threshold.
 13. The device of claim 11in which the current setting means reduces the first current level ifthe timer determines that the time period for reaching the lower voltagelimit exceeds a second predetermined threshold.
 14. The device of claim11 in which the current setting means reduces the second current levelif the timer determines that the time period for reaching the uppervoltage limit falls below a first predetermined threshold.
 15. Thedevice of claim 11 in which the current setting means raises the secondcurrent level if the timer determines that the time period for reachingthe upper voltage limit exceeds a second predetermined threshold. 16.The device of claim 9 in which the control means includes means fortemporarily inhibiting the current switching means if the supply voltageto the processor fails to move towards the desired upper or lowervoltage limit.
 17. The device of claim 1 in which the processor has aninternal clock, the frequency of which is dependent upon the supplyvoltage to the processor.
 18. The device of claim 1 in which theprocessor is a cryptographic processor.
 19. The device of claim 1incorporated into a smart card.
 20. A method of operating a dataprocessing device, comprising the steps of: drawing current from anexternal supply; cyclically apportioning drawn current between a chargestorage device and a processor within the data processing device suchthat the drawn current varies independently of the instantaneous powerdemand of the processor.
 21. The method of claim 20 further includingthe step of using the drawn current to generate a current flow to theprocessor and the charge storage device, that is periodically oraperiodically switched between two different current levels.
 22. Themethod of claim 20 further including the step of using the drawn currentto generate a current flow to the processor and the charge storagedevice, that is periodically or aperiodically switched between multipledifferent current levels.
 23. The method of claim 21 further includingthe step of determining the interval between switching according to anaverage power demand of the processor.
 24. The method of claim 20further including the steps of: using a first current source to deliversubstantially constant current at at least two different current levels,switching the first current source between current levels on a periodicor aperiodic basis; using a second current source to provide asuperposed current that varies on a random or pseudo-random basis anddelivering the combined current of the first and second current sourcesto the processor and the charge storage device.
 25. The method of anyone of claims 20 to 24 further including the step of maintaining asupply voltage to the processor between an upper voltage limit and alower voltage limit.
 26. The method of claim 25 further including thestep of switching a current source between a first, higher current leveland a second, lower current level, when the supply voltage to theprocessor respectively reaches the lower voltage limit and the uppervoltage limit.
 27. The method of claim 26 further including the stepsof: determining a time period taken for the processor supply voltage toreach a lower voltage limit from an upper voltage limit, or vice versa,and varying the first current level and/or the second current level ofthe current source if the time period falls outside predeterminedlimits.
 28. The method of claim 27 further including the step of raisingthe first current level if the time period for reaching the lowervoltage limit falls below a first predetermined threshold.
 29. Themethod of claim 27 or claim 28 further including the step of reducingthe first current level if the time period for reaching the lowervoltage limit exceeds a second predetermined threshold.
 30. The methodof claim 27 further including the step of reducing the second currentlevel if the time period for reaching the upper voltage limit fallsbelow a first predetermined threshold.
 31. The method of claim 27further including the step of raising the second current level if thetime period for reaching the upper voltage limit exceeds a secondpredetermined threshold.
 32. The method of claim 26 further includingthe step of temporarily inhibiting the current switching if the supplyvoltage to the processor fails to move towards the desired upper orlower voltage limit.
 33. The method of claim 20 further including thestep of controlling the frequency of operation of the processor as afunction of the supply voltage to the processor.
 34. A data processingdevice substantially as described herein with reference to theaccompanying drawings.
 35. A method of operating a data processingdevice substantially as described herein with reference to theaccompanying drawings.